A critical security bulletin was released for a vulnerability in Cisco CloudCenter Orchestrator that "causes the...
Docker Engine management port to be reachable outside of the Cloud Orchestrator system." What does this mean, and how does the vulnerability work?
This vulnerability gives an unauthenticated, remote attacker the ability to install Docker containers to the system, and could potentially allow him to attain escalated privileges, such as root. This was made possible by a misconfiguration that makes the Docker management port accessible to attackers, and allows them to submit Docker containers to the Cisco CloudCenter Orchestrator without an administrator's knowledge.
Docker is open source software that allows you to run multiple instances of an application on virtualized hardware, with the flexibility to have these containers moved into cloud platforms for high portability. These containers are typically more lightweight than a usual virtual machine, and will run under a host that's sharing similar libraries. The applications running in these containers can quickly be spun up or ported to hosts that support them. The concern with the recently disclosed vulnerability from Cisco means there could be additional containers or applications running in your CloudCenter Orchestrator that weren't configured by you, and which are being used for malicious purposes.
If an attacker is able to insert a container into the Cisco CloudCenter Orchestrator, he is also able to host malicious software on your infrastructure and use your hardware to perform whatever devious acts he can think of on your equipment. This could include hosting phishing sites, command-and-control sites or any other number of malicious uses.
The Cisco advisory also mentions that the containers are installed with high privileges, which means there's the possibility for additional compromise on the CloudCenter Orchestrator beyond installing bad Docker containers. Cisco states that there may be a secondary impact that allows the attacker to gain root privileges to the system. If your system is found to be vulnerable, or even exploited, your incident response plan needs to take action immediately.
According to Cisco, this vulnerability affects all releases of Cisco CloudCenter where the Docker Engine TCP port 2375 is open and bound to local address 0.0.0.0. There are no other Cisco products currently affected by this vulnerability at this time.
Cisco recommends running netstat –ant |grep 2375 to validate that the port is open and bound to 0.0.0.0. Another recommendation is to use the docker images command to see which running containers are currently installed on the Cisco CloudCenter Orchestrator. You can run the command docker ps –a to get a running list of all containers. You'll have to understand your environment after seeing the results to know which might have been inserted by an attacker.
There are other workarounds for those that might not have a support contract. The first is to restrict the Docker Engine port to bind to 127.0.0.1, instead of 0.0.0.0. The second is to use external firewall devices to filter access to the management port.
This is a security flaw that needs to be patched as soon as possible, and Cisco has released both a patch and an advisory for the vulnerability to assist with remediating the threat.
Ask the Expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)
Learn how hackers are using Twitter as command-and-control servers for malware
Read about the different use cases for bare-metal servers and virtual machines
Find out if virtual machine introspection can improve cloud security
Dig Deeper on Cloud Data Storage, Encryption and Data Protection Best Practices
Related Q&A from Matthew Pascucci
While there are no set rules, there are some security recommendations when it comes to virtual machines running on one host. Learn the best practices... Continue Reading
Poisoned search results have spread the Zeus Panda banking Trojan throughout Google. Learn what this means, how search engine poisoning works and ... Continue Reading
A report from CrowdStrike highlights the growth of malware-less attacks using certain command-line tools. Learn how to handle these growing attacks ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.